An efficient false alarm reduction approach in HTTP-based botnet detection

In recent years, bots and botnets have become one of the most dangerous infrastructures for carrying out nearly every type of cyber-attack. Their dynamic and flexible nature, along with sophisticated evasion mechanisms, makes them difficult to detect. One of the latest generations of botnet, called HTTP-based, uses the standard HTTP protocol to impersonate normal web traffic and bypass current network security systems (e.g. firewalls). Moreover, because HTTP is commonly used by normal applications and services on the Internet, detecting HTTP botnets with a low rate of false alarms (i.e. false negatives and false positives) has become a notable challenge. In this paper, we review the current studies on HTTP-based botnet detection together with their shortcomings. We also propose a detection approach that improves HTTP-based botnet detection with respect to the false alarm rate and the detection of HTTP bots with random patterns. The testing results show that the proposed method successfully reduces the false alarm rates in HTTP-based botnet detection.
